Re: Unusual DNS requests (not related to previous DNS thread)

From: Ryan Russell (ryanat_private)
Date: Tue Jan 15 2002 - 10:14:36 PST

    On Mon, 14 Jan 2002 measlat_private wrote:
    
    >
    > So far, so good.  The request is for a PTR
    > record: 0.xxx.xxx.xx.in-addr.arpa.  No, that's not a typo, they are
    > requesting reverse for the network address at .0.
    
    Don't get too worried about the 0. part... recall that these are in
    reverse order, so the guy is asking for a name for x.y.z.0.  Or maybe
    that's what you were worried about.  It's not common but, depending on
    subnet mask, .0 addresses aren't always reserved.
    
    > A packet capture shows
    > absolutely nothing out of the ordinary, other than the freaky request, and
    > the regularity of the requests, about one request every five seconds, round
    > the clock.
    
    So this begs the question... is this DNS server supposed to be serving
    in-addr.arpa records?  I.e. is it reverse for some network address range?
    If so, is there a possibility that that network range is a smurf
    amplifier?
    
    					Ryan
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
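
The reply's point about reversed octets and subnet masks, as an added example that is not part of the original message: it turns an in-addr.arpa query name back into the address being asked about and shows how the same .0 address is a network address under one prefix length and an ordinary host under another. The function names are hypothetical and the sample names use constructed documentation addresses (198.51.100.0/24 range), not the poster's data.

```python
import ipaddress


def ptr_to_ipv4(qname):
    """Return the IPv4 address that an in-addr.arpa PTR query name refers to."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        raise ValueError(f"not a full IPv4 PTR name: {qname!r}")
    # PTR labels are least-significant octet first, so reverse them.
    # IPv4Address raises a ValueError subclass on malformed octets.
    return ipaddress.IPv4Address(".".join(reversed(labels[:4])))


def classify(addr, prefix_len):
    """Say whether addr is the network, broadcast or a host address
    of the subnet it falls in for the given prefix length."""
    net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
    if prefix_len >= 31:
        # /31 and /32 have no separate network or broadcast address.
        return "host"
    if addr == net.network_address:
        return "network"
    if addr == net.broadcast_address:
        return "broadcast"
    return "host"


if __name__ == "__main__":
    # Constructed sample query names, as they would appear in a DNS log.
    samples = ["0.101.51.198.in-addr.arpa.", "255.100.51.198.in-addr.arpa."]
    for qname in samples:
        addr = ptr_to_ipv4(qname)
        for prefix_len in (24, 23):
            print(f"{qname} -> {addr} is a {classify(addr, prefix_len)} "
                  f"address under /{prefix_len}")
```
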
    


